by seniorsassycat 4773 days ago
I'm not sure I understand what dotenv does (or why you would need it to do it).

It loads environment variables from a .env file when starting your app so that you don't have to do

$ SECRET_TOKEN=abcdef SOME_OTHER_VAR=hello rails s

or pollute your .profile with a bunch of app-specific variables.

You don't need it to do it; it just makes it easier.

Couldn't you just read the file directly? e.g.

    secret_token = File.read('secret_token_dont_check_in')

I fail to see how loading the file into the environment and then into the variable is anything but worse.

The original issue is people checking their secret token files into their VCS repository and publishing that. Getting the secret token from the ENV means it probably won't be checked into the repo.

It's still a file (how do you think it gets into the environment?). Whether it's a ruby file or a .env file or a yaml file, it's still equally at risk of being checked in.
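
Added example, not part of any comment in the thread and not dotenv's own code: a Ruby sketch of the loading step discussed above, where a KEY=VALUE file is read at startup and copied into the environment. The helper names are hypothetical, and keeping already-set variables and failing on a missing secret are choices of this sketch.

```ruby
require "tempfile"

# Hypothetical helper (not dotenv's API): parse KEY=VALUE lines from a file.
# Blank lines and lines starting with '#' are skipped; one pair of
# surrounding quotes is stripped from the value.
def parse_env_file(path)
  pairs = {}
  File.foreach(path) do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if value.nil? || key !~ /\A[A-Za-z_][A-Za-z0-9_]*\z/
    value = value.strip
    value = value[1..-2] if value =~ /\A(["']).*\1\z/
    pairs[key] = value
  end
  pairs
end

# Copy parsed pairs into env, keeping variables that are already set, so a
# value supplied by the real process environment wins over the file.
# Returns the keys that were taken from the file.
def load_env_file(path, env = ENV)
  return [] unless File.exist?(path)
  parse_env_file(path).each_with_object([]) do |(key, value), loaded|
    next if env.key?(key)
    env[key] = value
    loaded << key
  end
end

# Fail at startup when a required secret is absent or empty.
def require_secret(name, env = ENV)
  value = env[name]
  raise KeyError, "#{name} is not set" if value.nil? || value.empty?
  value
end

# Constructed sample file, using the variable names from the thread.
def demo
  Tempfile.create("dotenv-demo") do |f|
    f.write("# constructed sample\nSECRET_TOKEN=abcdef\nSOME_OTHER_VAR=\"hello\"\n")
    f.flush
    env = { "SOME_OTHER_VAR" => "from-shell" } # stands in for ENV
    loaded = load_env_file(f.path, env)
    [loaded, env, require_secret("SECRET_TOKEN", env)]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```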